I can understand why one might desire to purchase a certificate for multiple years but I am left wondering why it appears to be possible to obtain a valid certificate for a domain that may have come under new ownership by way of registering for a short period, deleting and allowing the third party to re-register the name as planned. What's the deal here?

Does indeed sound broken, but it still seems like a minor issue compared to the huge number of CAs any of which could compromise your security by issuing a certificate they shouldn't have issued.
– kasperd Jun 18 at 8:00

1 Answer
1

There's just no way to fix it. Even if the registration period is two years and a one year certificate is issued, you could still sell or drop the registration next week. There's nothing the certificate authority can do about that. (Well, I suppose they could monitor the registrations and if there's a change in registrant, they could revoke the certificate. I've never heard of any CA doing that though.)

Is there even a way for the registrar to discover which CA signed certificates for the domain, in order to announce the change of registration data?
– curiousguy Jul 1 '12 at 15:15

3

No. I was suggesting the CA could monitor the registration.
– David Schwartz Jul 1 '12 at 15:17

I guess I’m interested in the technical limitations behind this. Why can I buy a valid certificate that will be recognized by pretty much all major players valid for 5 years when my domain is only registered for 1? Everything about this seems shady.
– Matt Jul 2 '12 at 8:38

4

@Matt "the technical limitations behind this." The technical limitation is that there is no minimum time before you lose control of a domain, either by selling it to someone else, cancelling it, or if somebody else can contest your domain registration (f.ex. if you have provided incorrect information at registration time, someone could prove that your registration is not valid, so it would be cancelled). So maybe the certificate should only be valid for a few hours/minutes, before you get a chance to sell your domain. Maybe you should look at DNSSEC as an alternative.
– curiousguy Jul 6 '12 at 23:39
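The monitoring the answer suggests (a CA watching registration records and revoking when the registrant changes) and the gap the last comment describes (a certificate that outlives the registration term), as an added example that is not from the original thread: it runs over constructed registration snapshots and certificate validity windows, and `Cert`, `Snapshot`, `review_certs` and all sample values are assumptions, not any CA's real procedure.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Cert:
    serial: str
    domain: str
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class Snapshot:
    """One observation of a domain's registration record (RDAP/WHOIS-like)."""
    observed: datetime
    domain: str
    registrant: str  # opaque registrant handle; "" means the name is unregistered
    expires: datetime

def review_certs(certs, snapshots):
    """Map serial -> (action, reason). 'revoke': the registrant changed or the name
    was dropped while the certificate was valid, so the vetted holder is gone.
    'watch': the certificate outlives the last observed registration term."""
    history = {}
    for s in sorted(snapshots, key=lambda s: s.observed):
        history.setdefault(s.domain, []).append(s)
    result = {}
    for c in certs:
        hist = history.get(c.domain, [])
        holder = None  # registrant in force when the certificate was issued
        for s in hist:
            if s.observed >= c.not_after:
                break
            if s.observed <= c.not_before or holder is None:
                holder = s.registrant
            elif s.registrant != holder:
                result[c.serial] = ("revoke", f"registrant {holder!r} -> {s.registrant!r} on {s.observed.date()}")
                break
        if c.serial not in result and hist and c.not_after > hist[-1].expires:
            result[c.serial] = ("watch", f"valid to {c.not_after.date()}, registration ends {hist[-1].expires.date()}")
    return result

# Constructed sample data: a 5-year certificate on a name registered for 1 year that is
# later dropped (A1), one that merely outlives its registration term (B2), one that fits (C3).
CERTS = [Cert("A1", "example.com", datetime(2012, 1, 1), datetime(2017, 1, 1)),
         Cert("B2", "example.org", datetime(2012, 1, 1), datetime(2014, 1, 1)),
         Cert("C3", "example.net", datetime(2012, 1, 1), datetime(2013, 1, 1))]
SNAPSHOTS = [Snapshot(datetime(2011, 12, 15), "example.com", "R-1", datetime(2013, 1, 1)),
             Snapshot(datetime(2013, 1, 5), "example.com", "", datetime(2013, 1, 1)),
             Snapshot(datetime(2011, 12, 20), "example.org", "R-9", datetime(2013, 1, 1)),
             Snapshot(datetime(2011, 12, 20), "example.net", "R-5", datetime(2013, 6, 1))]
```

A "watch" result is not grounds for revocation by itself, since the registration may simply be renewed; it marks the certificates whose holder must be re-checked at the registration's expiry.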